
Number of slides: 18
Fermilab TIssue and AV Detector Computer Security Awareness Day September 29, 2009 1
Agenda
• Why are we here?
• Current environment
• How are machines getting infected?
• Improvements (timeline)
• Weekly AV scan changes
• What is TIssue?
• AV Notice TIssue Detector
• Rebuilds vs fixes
• AV service enhancements
• Help us to help you
• Blocked? Getting help…
• Questions?
Why Are We Here?
• AV protection for ~3000 Windows systems
• Volume of AV notices via email
  ◦ ~1000 per month; a single machine can generate several notices; too many for any one person to filter by hand
  ◦ Manual response: can be unreliable, no priority, no official procedures prior to May 2009
• Tune IT Up requirement
Current Environment
• Symantec AV Corporate Edition 10
  ◦ multiple parent servers to support Fermilab
  ◦ parent servers report into a central AV Report server
  ◦ the system is configured to download and advertise new signature files every 15 minutes; when away from the lab, clients are configured to download new signature files from Symantec once a day
  ◦ clients are configured to perform a full scan once a week (most are set for Tuesday 2 AM)
  ◦ clients use heuristics in addition to the standard signature-based real-time protection
How are machines getting infected?
• AV alone cannot cover all malware
  ◦ Malware is being written at a high rate; a challenge for AV manufacturers to keep up
  ◦ Now needed: antivirus, antispyware, firewall, intrusion prevention, device and application control
• Local admin permissions
  ◦ Domain and local accounts
• USB devices
  ◦ Autorun & Autoplay can allow malware to execute on insertion
• Web browsing
  ◦ Business-need web browsing
  ◦ Non-business casual web browsing
How malware like Conficker can get in
[Diagram: normal web surfing → malware request → malware runs in memory → rootkit fetched from the cloud → malware attempts to write the rootkit to the file system; AV does its real-time file scan only after the file is closed]
Improvements (timeline)
• Web proxy server
  ◦ Applied to 98% of the network subnets at the lab
• Disable Autorun
  ◦ prevents malware from auto-running on USB device insertion
• Restricting web access via domain
  ◦ Applies to machines with critical business needs
• Restore points: 2 options
  ◦ disable System Restore to remove malware, then re-enable
  ◦ rebuild
• Weekly AV scan changes (next slide)
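The "Disable Autorun" item above is a single registry policy. The following PowerShell is an added example, not part of the original deck or of Fermilab's tooling: it reads the current NoDriveTypeAutoRun policy value, sets it to 0xFF (AutoRun off for every drive type; 0x91, the usual Windows default, leaves removable drives enabled), and verifies the result. It assumes it is run elevated on Windows XP, Vista or 7 and uses only the documented Explorer policy key.

```powershell
# Added example (not from the Fermilab deck): disable AutoRun for all drive
# types by setting the NoDriveTypeAutoRun Explorer policy value to 0xFF.
# Assumption: run elevated; the key path below is the standard machine policy key.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$DisableAll = 0xFF   # bits: 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, ... 0xFF = all

function Get-AutoRunState {
    # Returns the current policy value, or $null when the value is absent
    # (absent means the Windows default: AutoRun still enabled for removable drives).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-AutoRun {
    # Create the policy key if needed and force the DWORD to 0xFF.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $DisableAll `
        -PropertyType DWord -Force | Out-Null
}

function Test-AutoRunDisabled {
    # True only when every drive-type bit is set; a partial value such as 0x91
    # still lets a USB stick's autorun.inf run.
    $state = Get-AutoRunState
    return ($null -ne $state) -and (($state -band 0xFF) -eq 0xFF)
}

$before = Get-AutoRunState
if ($null -eq $before) {
    Write-Host 'Before: NoDriveTypeAutoRun not set (Windows default, AutoRun enabled for removable drives)'
} else {
    Write-Host ('Before: NoDriveTypeAutoRun = 0x{0:X2}' -f $before)
}
Disable-AutoRun
Write-Host ('After:  NoDriveTypeAutoRun = 0x{0:X2}, AutoRun disabled for all drive types: {1}' `
    -f (Get-AutoRunState), (Test-AutoRunDisabled))
```

Two caveats a practitioner should check: Windows XP, Server 2003 and Vista honour this value fully only once Microsoft's AutoRun fix (KB967715) is installed, so a machine that is missing that update can report 0xFF and still run autorun.inf from a USB stick; and the same setting is available as the "Turn off Autoplay" Group Policy, which is the right way to push it to ~3000 domain members rather than scripting each host.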
Weekly AV Scan changes
• Scans may be postponed up to four times instead of cancelled
• Tested the new setting for several weeks with no problems
• Staged rollout through the end of the year
What is TIssue?
• Tracking Issue workflow system; it handles
  ◦ Strong Authentication violations
  ◦ OS patching levels
  ◦ Network inventory
  ◦ Antivirus notices
• Monitors the central logging repository
  ◦ Blocks are issued based on parameter settings
TIssue Overview diagram
• Registered system administrators will get notified
• The issue must be properly remediated or the system will be blocked
• You will be blocked again if the problem is not actually fixed
Example of a TIssue Blocking email

This email is automatically generated, do not reply.

The system listed below is registered to you as a sysadmin. A network block for this system (described below) has been requested by Computer Security. Please visit:

https://nimisrva.fnal.gov/WF/TIssue/event_mgr/display.Remediation.Form?machine_id=34754

to view more details about the vulnerability found and to enter the action taken to fix the vulnerability.

Note: If this event is not remediated, the system will be blocked from network access at None

Here is a description of the host/sms check:
IP Address: 131.225.xx
MAC Address: 00:00:00
Node name: xxxxx
Affiliation: xx/xx/xxxxxxxxx
Last found: 2009-09-22 13:08:41
Issue: Virus Found (Blocking Event)
Additional Info: Class/Action/Location trigger: Host: xxxxxx IP: 131.225.xx USER: xxxxx
Class/Action/Location triggers: Infostealer=Security Update for OS Microsoft Windows>>KB390496.exe (Cleaned by Deletion)

THIS IS A BLOCK EVENT.

If you experience difficulties resolving this issue or require additional assistance, please contact the FNAL Service Desk (x2345) to open a ticket to be routed to your local desktop or server support group.
AV Notice TIssue Detector
• Previously each notice was manually reviewed
• Now automated: virus notices are sorted and filtered
  ◦ Notices that require follow-up are flagged
  ◦ All other AV notices are ignored
• Started with criteria that matched our AV experience to date
• Criteria changes will be made by Windows Policy Committee proposal and vote
AV Notice TIssue Detector - Settings
• Follow-up criteria
  ◦ Virus type blocks: rootkits, keyloggers, information stealers, etc.
  ◦ File location blocks: operating system, application program areas, etc.
• Departmental file servers are exempt from blocks
Wipe & Rebuilds versus Fixes
• The number of rebuilds is small compared with the number of identified viruses
• Rebuild if the virus type meets the criteria
  ◦ such as Hacktool.Rootkit and Downadup (aka Conficker)
• Rebuild if infected files are in protected system areas
  ◦ such as Windows, WINNT, System32
• Fix if the virus is in a restore point
• Ignore notices in Temporary Internet Files areas and other non-system areas
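The detector settings on the previous slide and the rebuild-versus-fix rules above together form one decision procedure. The PowerShell below is an added example of that procedure, not the TIssue detector's own code: it takes Symantec-style notice records (host, virus name, file path, action taken), applies the exemption, virus-type, system-area and restore-point rules in that order, and returns whether the host should be blocked and whether the remediation is Rebuild, Fix or Ignore. The notice records, host names, file paths and the exempt-host list are constructed for the example; it needs PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Added example (not the Fermilab TIssue detector's own code): triage Symantec AV
# notices with the follow-up and rebuild-vs-fix criteria from the slides.
# Requires PowerShell 3.0+. All records and host names below are constructed.

# Virus-name fragments that always mean wipe & rebuild (Hacktool.Rootkit, Downadup/Conficker).
$RebuildTypes = @('Rootkit', 'Downadup', 'Conficker')
# Virus-name fragments that require follow-up (a block) wherever the file sits.
$BlockTypes   = @('Rootkit', 'Keylogger', 'Infostealer')
# Protected system areas: an infected file here means rebuild.
$SystemAreas  = @('\Windows\', '\WINNT\', '\System32\')
# Departmental file servers are exempt from blocks (assumed host list).
$ExemptHosts  = @('fs-dept01')

function New-Triage($Notice, [bool]$Block, [string]$Remediation, [string]$Reason) {
    [pscustomobject]@{ Host = $Notice.Host; Virus = $Notice.VirusName
                       Block = $Block; Remediation = $Remediation; Reason = $Reason }
}

function Get-AvNoticeAction {
    param([Parameter(Mandatory)] $Notice)   # object with Host, VirusName, FilePath, ActionTaken
    $virus = $Notice.VirusName
    $path  = $Notice.FilePath

    # 1. Exemptions first: departmental file servers never get a block.
    if ($ExemptHosts -contains $Notice.Host) {
        return New-Triage $Notice $false 'Ignore' 'departmental file server (exempt from blocks)'
    }
    # 2. Virus types that meet the rebuild criteria, regardless of location.
    foreach ($t in $RebuildTypes) {
        if ($virus -like "*$t*") { return New-Triage $Notice $true 'Rebuild' "virus type '$virus' meets rebuild criteria" }
    }
    # 3. Infected file in a protected system area (-like is case-insensitive).
    foreach ($area in $SystemAreas) {
        if ($path -like "*$area*") { return New-Triage $Notice $true 'Rebuild' "infected file in protected system area ($area)" }
    }
    # 4. Infected file inside a System Restore point: disable restore, rescan, re-enable.
    if ($path -like '*\System Volume Information\_restore*') {
        return New-Triage $Notice $true 'Fix' 'infected file is in a restore point'
    }
    # 5. Other follow-up virus types outside system areas: block and clean, no rebuild.
    foreach ($t in $BlockTypes) {
        if ($virus -like "*$t*") { return New-Triage $Notice $true 'Fix' "virus type '$virus' requires follow-up" }
    }
    # 6. Temporary Internet Files and other non-system areas: the AV action is enough.
    return New-Triage $Notice $false 'Ignore' 'temporary internet files / non-system area'
}

# Constructed sample notices, one per rule.
$Notices = @(
    [pscustomobject]@{ Host='pc-lab01'; VirusName='Hacktool.Rootkit'; FilePath='C:\WINDOWS\system32\drivers\netsvc.sys'; ActionTaken='Left alone' }
    [pscustomobject]@{ Host='pc-lab02'; VirusName='W32.Downadup.B';   FilePath='C:\Documents and Settings\user\Local Settings\Temp\x.dll'; ActionTaken='Quarantined' }
    [pscustomobject]@{ Host='pc-lab03'; VirusName='Infostealer';      FilePath='C:\Documents and Settings\user\Desktop\update.exe'; ActionTaken='Cleaned by deletion' }
    [pscustomobject]@{ Host='pc-lab04'; VirusName='Trojan.Gen';       FilePath='C:\WINDOWS\Temp\svc.exe'; ActionTaken='Quarantined' }
    [pscustomobject]@{ Host='pc-lab05'; VirusName='Trojan.Gen';       FilePath='C:\System Volume Information\_restore{GUID}\RP12\A0000123.exe'; ActionTaken='Left alone' }
    [pscustomobject]@{ Host='pc-lab06'; VirusName='Downloader';       FilePath='C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ad[1].htm'; ActionTaken='Cleaned by deletion' }
    [pscustomobject]@{ Host='fs-dept01'; VirusName='Hacktool.Rootkit'; FilePath='D:\shares\group\tool.exe'; ActionTaken='Left alone' }
)
$Notices | ForEach-Object { Get-AvNoticeAction $_ } | Format-Table Host, Virus, Block, Remediation, Reason -AutoSize
```

Running it yields Rebuild for pc-lab01 (rootkit), pc-lab02 (Downadup, even though the file is in a temp directory) and pc-lab04 (file under \Windows\), Fix for pc-lab03 (infostealer outside a system area) and pc-lab05 (restore point), and Ignore for pc-lab06 (Temporary Internet Files) and the exempt file server. The order of the rules matters: a Downadup notice on a file server must still be ignored for blocking purposes, and a rootkit in a non-system area must still trigger a rebuild, so exemption and virus type are checked before path.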
AV Service enhancements
• Working with the vendor to identify detected malware
• Review and upgrade the current solution
  ◦ Endpoint Security Protection: antivirus, antispyware, firewall, intrusion prevention, device and application control
Help us to help you
• If you are blocked, please tell us if:
  ◦ you have recently borrowed a flash drive/memory stick
  ◦ you have opened an email attachment, especially from your non-Fermi account
  ◦ you have browsed business-related web sites
  ◦ you have browsed casual web sites
• Providing detailed information may help problem resolution and future enhancements
Blocked? Getting help…
• The email notice goes to the registered system administrator
  ◦ When your machine gets blocked, you may not receive an email notice
• Contact the Service Desk at x2345
  ◦ If you suspect you have been blocked, ask that the TIssue site be checked
  ◦ You need to provide username, node name, IP address, etc.
QUESTIONS?
Thank you for attending!